Hi, Guys:
Does anyone have an idea what is up with all the "unsigned packages"? I have installed FC4T1, but running "yum update" on it gets stuck with this:
........ Downloading Packages: unsigned package gdb-6.3.0.0-1.9.i386.rpm
(it's not important which package is this, there are literally dozens and dozens of these)
Seth, can we make yum not abort when it sees an unsigned package? Or at the very least it would be a huge improvement if it printed ALL unsigned packages before quitting, and not just the first one.
-- Pete
On Sun, 2005-04-03 at 21:31 -0700, Pete Zaitcev wrote:
Seth, can we make yum not abort when it sees an unsigned package?
Put a line with "gpgcheck=0" in your /etc/yum.repos.d/fedora-devel.repo file. Rawhide is pretty much always mostly unsigned...
Or at the very least it would be a huge improvement if it printed ALL unsigned packages before quitting, and not just the first one.
Hmm, that's an interesting idea. However, the only place you should really hit unsigned packages is (hopefully) Rawhide, and if you don't update to the unsigned packages you're not getting much of Rawhide anyways... Because of this I'm not really sure of how useful this would end up being.
/Per
On 04/03/2005 09:31:54 PM, Pete Zaitcev wrote:
Hi, Guys:
Does anyone have an idea what is up with all the "unsigned packages"? I have installed FC4T1, but running "yum update" on it gets stuck with this:
........ Downloading Packages: unsigned package gdb-6.3.0.0-1.9.i386.rpm
(it's not important which package is this, there are literally dozens and dozens of these)
Seth, can we make yum not abort when it sees an unsigned package?
Packages in rawhide are not always signed. Change /etc/yum.conf: there is a setting called "gpgcheck"; change it from 1 to 0 to turn off signature checking.
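Both replies above (the per-repo "gpgcheck=0" line and the global setting in /etc/yum.conf) and Pete's wish for a listing of every unsigned package can be put into one script. The following is an added example and is not code from the thread, from yum or from Fedora. Two caveats are built in: the override is written per repo, because a per-repo gpgcheck overrides the [main] value in yum and the signed release and updates repos should keep checking; and the scan reports all unsigned packages in one pass rather than stopping at the first. It assumes rpm's SIGPGP, SIGGPG, RSAHEADER and DSAHEADER query tags print "(none)" under the :pgpsig formatter when that signature is absent; the repo name, baseurl and output path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from yum/Fedora. It does two
# things the replies above describe by hand: (1) writes a per-repo
# gpgcheck=0 override so signature checking stays on for every other repo,
# and (2) lists every unsigned .rpm in a directory in one pass instead of
# stopping at the first one.
#
# Assumptions: rpm's query tags SIGPGP, SIGGPG, RSAHEADER and DSAHEADER
# print "(none)" under the :pgpsig formatter when that signature is absent;
# the repo name, baseurl and file path below are placeholders.

# write_rawhide_override FILE: per-repo settings override [main] in yum, so
# gpgcheck=1 can stay in /etc/yum.conf. The real target would be
# /etc/yum.repos.d/fedora-devel.repo; FILE lets the example run anywhere.
write_rawhide_override() {
    cat > "$1" <<'EOF'
[development]
name=Fedora Core - Development Tree (placeholder)
baseurl=http://mirror.example.invalid/fedora/development/$basearch/
enabled=1
gpgcheck=0
EOF
}

# rpm_sig_line PKG: print "sigpgp|siggpg|rsaheader|dsaheader" for one package.
rpm_sig_line() {
    rpm -qp --qf '%{SIGPGP:pgpsig}|%{SIGGPG:pgpsig}|%{RSAHEADER:pgpsig}|%{DSAHEADER:pgpsig}\n' "$1"
}

# sig_status LINE: classify one rpm_sig_line result as "signed" or
# "unsigned". A package is unsigned only if every field is "(none)".
sig_status() {
    status=unsigned
    oldifs=$IFS; IFS='|'
    set -f                      # no pathname expansion while splitting
    for field in $1; do
        case $field in
            '(none)'|'') ;;     # this signature slot is empty
            *) status=signed ;; # any non-empty slot is a real signature
        esac
    done
    set +f
    IFS=$oldifs
    printf '%s\n' "$status"
}

# list_unsigned [DIR]: print every unsigned .rpm under DIR (default: yum's
# package cache). Unlike yum's abort on the first one, this reports them all.
list_unsigned() {
    dir=${1:-/var/cache/yum}
    find "$dir" -type f -name '*.rpm' -print | while IFS= read -r pkg; do
        if [ "$(sig_status "$(rpm_sig_line "$pkg")")" = unsigned ]; then
            printf 'unsigned package %s\n' "$pkg"
        fi
    done
}

# Only scan when run as a script, so the functions can also be sourced.
case ${0##*/} in
    list-unsigned-rpms.sh) list_unsigned "$@" ;;
esac
```

Run it as `sh list-unsigned-rpms.sh /var/cache/yum` after a failed update to see the whole list. Note that with gpgcheck=0 in place yum will install whatever the mirror serves, so the override belongs only on the repo whose packages are known to be unsigned.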
On Sun, 2005-04-03 at 21:31 -0700, Pete Zaitcev wrote:
Hi, Guys:
Does anyone have an idea what is up with all the "unsigned packages"? I have installed FC4T1, but running "yum update" on it gets stuck with this:
........ Downloading Packages: unsigned package gdb-6.3.0.0-1.9.i386.rpm
(it's not important which package is this, there are literally dozens and dozens of these)
Seth, can we make yum not abort when it sees an unsigned package? Or at the very least it would be a huge improvement if it printed ALL unsigned packages before quitting, and not just the first one.
We had that discussion with FC3 devel (or was it FC2?) already -- I argued that we should somehow ensure that all packages leaving the build system (i.e. getting pushed) would be signed with at least some key to ensure package integrity while others argued that this would somehow suggest a level of quality in the package which isn't given. The discussion didn't lead anywhere tangible unfortunately.
Nils
On Mon, 2005-04-04 at 09:18 +0200, Nils Philippsen wrote:
We had that discussion with FC3 devel (or was it FC2?) already -- I argued that we should somehow ensure that all packages leaving the build system (i.e. getting pushed) would be signed with at least some key to ensure package integrity while others argued that this would somehow suggest a level of quality in the package which isn't given. The discussion didn't lead anywhere tangible unfortunately.
It seems to me that the purpose of the sig is not so much a guarantee of quality as an assurance that the package hasn't been tampered with (especially if you are pulling packages off of mirrors). Granted, that isn't how everyone else may interpret it, but I'd rather see all rawhide packages signed so that if I'm pulling from a mirror I can feel reasonably assured that someone isn't slipping some badness into my firefox update or whatever.
On 04/04/2005 06:33:28 AM, David Hollis wrote:
On Mon, 2005-04-04 at 09:18 +0200, Nils Philippsen wrote:
We had that discussion with FC3 devel (or was it FC2?) already -- I argued that we should somehow ensure that all packages leaving the build system (i.e. getting pushed) would be signed with at least some key to ensure package integrity while others argued that this would somehow suggest a level of quality in the package which isn't given. The discussion didn't lead anywhere tangible unfortunately.
It seems to me that the purpose of the sig is not so much a guarantee of quality as an assurance that the package hasn't been tampered with (especially if you are pulling packages off of mirrors). Granted, that isn't how everyone else may interpret it, but I'd rather see all rawhide packages signed so that if I'm pulling from a mirror I can feel reasonably assured that someone isn't slipping some badness into my firefox update or whatever.
Exactly - that's the purpose of a signature: to verify that it comes from a trusted source. The GPL, under which most software is shipped, specifically states there is no guarantee of quality, and a signature does not change that ... but a signature does say that the package has not been tampered with between the signing server and the mirror my yum client grabbed it from.